PKI Realm uses trust configuration which has no accepted certificate issuers – How to solve this Elasticsearch error

Opster Team

Aug-23, Version: 8-8.9

Briefly, this error occurs when the Elasticsearch PKI (Public Key Infrastructure) Realm is configured to use a trust configuration that doesn't have any accepted certificate issuers. This means that the system cannot verify the authenticity of the certificates. To resolve this issue, either add accepted certificate issuers to the trust configuration or change the PKI Realm to use a trust configuration that already has accepted certificate issuers. Additionally, ensure that the certificate issuers are trusted by the system and that the certificates are not expired.

This guide will help you check for common problems that cause the log "PKI Realm [{}] uses trust configuration [{}] which has no accepted certificate issuers" to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

The log "PKI Realm [{}] uses trust configuration [{}] which has no accepted certificate issuers" is emitted from the class PkiRealm.java.
We extracted the following from the Elasticsearch source code for those seeking in-depth context:

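        // Excerpt: the enclosing method's signature is not shown.
        if (trustConfig.isSystemDefault()) {
            // System default trust configuration: no dedicated trust manager is returned.
            return null;
        }
        final X509ExtendedTrustManager trustManager = trustConfig.createTrustManager();
        // Warn when the trust manager built from the configuration accepts no issuers.
        if (trustManager.getAcceptedIssuers().length == 0) {
            logger.warn("PKI Realm [{}] uses trust configuration [{}] which has no accepted certificate issuers", this, trustConfig);
        }
        return trustManager;
    }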
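
The condition tested in the excerpt can be checked outside Elasticsearch before a node is restarted. The following is an added example, not Elasticsearch or Opster code: the class name `TrustIssuerCheck` and the choice of a PEM CA bundle as input are assumptions. It builds a standard JSSE trust manager from the bundle, lists the issuers it accepts, and flags expired ones.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustIssuerCheck {
    // Load a PEM CA bundle as trusted entries; a null path gives the constructed
    // sample case: an empty in-memory store with no CA entries at all.
    static KeyStore load(Path pem) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null);
        if (pem == null) return store;
        try (InputStream in = Files.newInputStream(pem)) {
            int i = 0;
            for (var cert : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                store.setCertificateEntry("ca-" + i++, cert);
            }
        }
        return store;
    }

    // Same JSSE call the excerpt above checks: the issuers the trust manager accepts.
    static X509Certificate[] acceptedIssuers(KeyStore store) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return ((X509TrustManager) tm).getAcceptedIssuers();
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] issuers = acceptedIssuers(load(args.length > 0 ? Path.of(args[0]) : null));
        if (issuers.length == 0) {
            System.out.println("no accepted certificate issuers (the condition behind the warning)");
        }
        Date now = new Date();
        for (X509Certificate ca : issuers) {
            String state = ca.getNotAfter().before(now) ? "EXPIRED" : "valid";
            System.out.println(state + "  " + ca.getSubjectX500Principal().getName() + "  notAfter=" + ca.getNotAfter());
        }
    }
}
```

Run it with the path to the CA bundle as the only argument; with no argument it exercises the empty-store case.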
